Expedia Product Security Advisory: Cruise Ship Centers Information Disclosure

[Mike Sheward <msheward () expedia com>]

Expedia Product Security Advisory on 6/5/2015
Product: Expedia CruiseShipCenters (CruiseShipCenters.com)

Vulnerability Type: Insecure Direct Object Reference
Impact: Unauthorized Information Disclosure

Credit: Paul O¹Neil, IDT911 Consulting (http://idt911.com/)

Background:

During the booking finishing process with Expedia Cruise Ship Centers it
was discovered that a GET parameter (namely Œctoid') found in the
following URL, could be modified to disclose information regarding other
users of the application who had previously made
 a booking:

https://cruise.expedia.com/Book/Payment5.aspx

Once the issue was remediated, an investigation by the Expedia Incident
Response team determined that we have no reason to believe this
vulnerability was maliciously exploited.

Remedition Timeline:

Initial Discovery by Mr O'Neil: 5/27/15
Initial Response and Investigation by Expedia Incident Response: 5/27/15
Issue Confirmed Remediated: 6/3/15

Expedia Policy on Responsible Disclosures:

Expedia, Inc. and its affiliated businesses encourage users to report
vulnerabilities discovered on any of our Internet sites. If you think you
have discovered a vulnerability in the Web application code on any of our
sites, please send us an email via respdisc () expedia com
 with the following information:

* Date and time of discovery
* Specific code 
* Proof of concept exploit information

We appreciate your willingness to participate in our efforts to keep
Expedia safe and secure, and will publicly acknowledge your contributions.
The scope of this program is limited to Expedia-owned Web applications,
including Hotels.com, Hotwire.com, Expedia CruiseShipCenters, Venere.com,
Egencia.com, and VIA.com.

Thank you,

Mike Sheward
Enterprise Information Security
 Director,
 Security Operations Center and Security Incident Response
Expedia, Inc.